book

Mastering Kubernetes - Fourth Edition

Name: Mastering Kubernetes - Fourth Edition
Author: Gigi Sayfan
ISBN: 9781804611395

by Gigi Sayfan

June 2023

Intermediate to advanced

746 pages

18h 20m

English

Packt Publishing

Read now

Unlock full access

Preface
Who this book is forWhat this book coversTo get the most out of this bookGet in touch
Understanding Kubernetes Architecture
What is Kubernetes?What Kubernetes is notUnderstanding container orchestrationPhysical machines, virtual machines, and containersThe benefits of containersContainers in the cloudCattle versus petsKubernetes conceptsNodeClusterControl planePodLabelLabel selectorAnnotationServiceVolumeReplication controller and replica setStatefulSetSecretNameNamespaceDiving into Kubernetes architecture in depthDistributed systems design patternsSidecar patternAmbassador patternAdapter patternMulti-node patternsLevel-triggered infrastructure and reconciliationThe Kubernetes APIsResource categoriesKubernetes componentsControl plane componentsNode componentsKubernetes container runtimesThe Container Runtime Interface (CRI)DockercontainerdCRI-OLightweight VMsSummary
Creating Kubernetes Clusters
Getting ready for your first clusterInstalling Rancher DesktopInstallation on macOSInstallation on WindowsAdditional installation methodsMeet kubectlKubectl alternatives – K9S, KUI, and LensK9SKUILensCreating a single-node cluster with MinikubeQuick introduction to MinikubeInstalling MinikubeInstalling Minikube on WindowsInstalling Minikube on macOSTroubleshooting the Minikube installationChecking out the clusterDoing workExamining the cluster with the dashboardCreating a multi-node cluster with KinDQuick introduction to KinDInstalling KinDDealing with Docker contextsCreating a cluster with KinDDoing work with KinDAccessing Kubernetes services locally through a proxyCreating a multi-node cluster with k3dQuick introduction to k3s and k3dInstalling k3dCreating the cluster with k3dComparing Minikube, KinD, and k3dHonorable mention – Rancher Desktop Kubernetes clusterCreating clusters in the cloud (GCP, AWS, Azure, and Digital Ocean)The cloud-provider interfaceCreating Kubernetes clusters in the cloudGCPGKE AutopilotAWSKubernetes on EC2Amazon EKSFargateAzureDigital OceanOther cloud providersOnce upon a time in ChinaIBM Kubernetes serviceOracle Container ServiceCreating a bare-metal cluster from scratchUse cases for bare metalWhen should you consider creating a bare-metal cluster?Understanding the processUsing the Cluster API for managing bare-metal clustersUsing virtual private cloud infrastructureBuilding your own cluster with KubesprayBuilding your cluster with Rancher RKERunning managed Kubernetes on bare metal or VMsGKE AnthosEKS AnywhereAKS ArcSummary
High Availability and Reliability
High availability conceptsRedundancyHot swappingLeader electionSmart load balancingIdempotencySelf-healingHigh availability best practicesCreating highly available clustersMaking your nodes reliableProtecting your cluster stateClustering etcdProtecting your dataRunning redundant API serversRunning leader election with KubernetesMaking your staging environment highly availableTesting high availabilityHigh availability, scalability, and capacity planningInstalling the cluster autoscalerConsidering the vertical pod autoscalerAutoscaling based on custom metricsLarge cluster performance, cost, and design trade-offsBest effortMaintenance windowsQuick recoveryZero downtimeSite reliability engineeringPerformance and data consistencyChoosing and managing the cluster capacityChoosing your node typesChoosing your storage solutionsTrading off cost and response timeUsing multiple node configurations effectivelyBenefiting from elastic cloud resourcesAutoscaling instancesMind your cloud quotasManage regions carefullyConsidering container-native solutionsPushing the envelope with KubernetesImproving the performance and scalability of KubernetesCaching reads in the API serverThe pod lifecycle event generatorSerializing API objects with protocol buffersetcd3gRPC instead of RESTLeases instead of TTLsWatch implementationState storageOther optimizationsMeasuring the performance and scalability of KubernetesThe Kubernetes SLOsMeasuring API responsivenessMeasuring end-to-end pod startup timeTesting Kubernetes at scaleIntroducing the Kubemark toolSetting up a Kubemark clusterComparing a Kubemark cluster to a real-world clusterSummary
Securing Kubernetes
Understanding Kubernetes security challengesNode challengesNetwork challengesImage challengesConfiguration and deployment challengesPod and container challengesOrganizational, cultural, and process challengesHardening KubernetesUnderstanding service accounts in KubernetesHow does Kubernetes manage service accounts?Accessing the API serverAuthenticating usersImpersonationAuthorizing requestsUsing admission control pluginsSecuring podsUsing a private image repositoryImagePullSecretsSpecifying a security context for pods and containersPod security standardsProtecting your cluster with AppArmorWriting AppArmor profilesPod Security AdmissionManaging network policiesChoosing a supported networking solutionDefining a network policyLimiting egress to external networksCross-namespace policiesThe costs of network policiesUsing secretsStoring secrets in KubernetesConfiguring encryption at restCreating secretsDecoding secretsUsing secrets in a containerManaging secrets with VaultRunning a multi-tenant clusterThe case for multi-tenant clustersUsing namespaces for safe multi-tenancyAvoiding namespace pitfallsUsing virtual clusters for strong multi-tenancySummary
Using Kubernetes Resources in Practice
Designing the Hue platformDefining the scope of HueSmart reminders and notificationsSecurity, identity, and privacyHue componentsUser profileUser graphIdentityAuthorizerExternal servicesGeneric sensorGeneric actuatorUser learnerHue microservicesPluginsData storesStateless microservicesServerless functionsEvent-driven interactionsPlanning workflowsAutomatic workflowsHuman workflowsBudget-aware workflowsUsing Kubernetes to build the Hue platformUsing kubectl effectivelyUnderstanding kubectl manifest filesapiVersionkindmetadataspecDeploying long-running microservices in podsCreating podsDecorating pods with labelsDeploying long-running processes with deploymentsUpdating a deploymentSeparating internal and external servicesDeploying an internal serviceCreating the hue-reminders serviceExposing a service externallyIngressAdvanced schedulingNode selectorTaints and tolerationsNode affinity and anti-affinityPod affinity and anti-affinityPod topology spread constraintsThe deschedulerUsing namespaces to limit accessUsing Kustomization for hierarchical cluster structuresUnderstanding the basics of KustomizeConfiguring the directory structureApplying KustomizationsPatchingKustomizing the entire staging namespaceLaunching jobsRunning jobs in parallelCleaning up completed jobsScheduling cron jobsMixing non-cluster componentsOutside-the-cluster-network componentsInside-the-cluster-network componentsManaging the Hue platform with KubernetesUsing liveness probes to ensure your containers are aliveUsing readiness probes to manage dependenciesUsing startup probesEmploying init containers for orderly pod bring-upPod readiness and readiness gatesSharing with DaemonSet podsEvolving the Hue platform with KubernetesUtilizing Hue in an enterpriseAdvancing science with HueEducating the kids of the future with HueSummary
Managing Storage
Persistent volumes walk-throughUnderstanding volumesUsing emptyDir for intra-pod communicationUsing HostPath for intra-node communicationUsing local volumes for durable node storageProvisioning persistent volumesCreating persistent volumesCapacityVolume modeAccess modesReclaim policyStorage classVolume typeMount optionsProjected volumesserviceAccountToken projected volumesCreating a local volumeMaking persistent volume claimsMounting claims as volumesRaw block volumesCSI ephemeral volumesGeneric ephemeral volumesStorage classesDefault storage classDemonstrating persistent volume storage end to endPublic cloud storage volume types – GCE, AWS, and AzureAWS Elastic Block Store (EBS)AWS Elastic File System (EFS)GCE persistent diskGoogle Cloud FilestoreAzure data diskAzure fileGlusterFS and Ceph volumes in KubernetesUsing GlusterFSCreating endpointsAdding a GlusterFS Kubernetes serviceCreating podsUsing CephConnecting to Ceph using RBDRookIntegrating enterprise storage into KubernetesOther storage providersThe Container Storage InterfaceAdvanced storage featuresVolume snapshotsCSI volume cloningStorage capacity trackingVolume health monitoringSummary
Running Stateful Applications with Kubernetes
Stateful versus stateless applications in KubernetesUnderstanding the nature of distributed data-intensive appsWhy manage the state in Kubernetes?Why manage the state outside of Kubernetes?Shared environment variables versus DNS records for discoveryAccessing external data stores via DNSAccessing external data stores via environment variablesConsuming a ConfigMap as an environment variableUsing a redundant in-memory stateUsing DaemonSet for redundant persistent storageApplying persistent volume claimsUtilizing StatefulSetWorking with StatefulSetsRunning a Cassandra cluster in KubernetesA quick introduction to CassandraThe Cassandra Docker imageExploring the build.sh scriptExploring the run.sh scriptHooking up Kubernetes and CassandraDigging into the Cassandra configuration fileThe custom seed providerCreating a Cassandra headless serviceUsing StatefulSet to create the Cassandra clusterDissecting the StatefulSet YAML fileSummary
Deploying and Updating Applications
Live cluster updatesRolling updatesComplex deploymentsBlue-green deploymentsCanary deploymentsManaging data-contract changesMigrating dataDeprecating APIsHorizontal pod autoscalingCreating a horizontal pod autoscalerCustom metricsKedaAutoscaling with kubectlPerforming rolling updates with autoscalingHandling scarce resources with limits and quotasEnabling resource quotasResource quota typesCompute resource quotaStorage resource quotaObject count quotaQuota scopesResource quotas and priority classesRequests and limitsWorking with quotasUsing namespace-specific contextCreating quotasUsing limit ranges for default compute quotasContinuous integration and deploymentWhat is a CI/CD pipeline?Designing a CI/CD pipeline for KubernetesProvisioning infrastructure for your applicationsCloud provider APIs and toolingTerraformPulumiCustom operatorsUsing CrossplaneSummary
Packaging Applications
Understanding HelmThe motivation for HelmThe Helm 3 architectureHelm release secretsThe Helm clientThe Helm libraryHelm 2 vs Helm 3Using HelmInstalling HelmInstalling the Helm clientFinding chartsAdding repositoriesInstalling packagesChecking the installation statusCustomizing a chartAdditional installation optionsUpgrading and rolling back a releaseDeleting a releaseWorking with repositoriesManaging charts with HelmTaking advantage of starter packsCreating your own chartsThe Chart.yaml fileVersioning chartsThe appVersion fieldDeprecating chartsChart metadata filesManaging chart dependenciesUtilizing additional subfields of the dependencies fieldUsing templates and valuesWriting template filesTesting and troubleshooting your chartsEmbedding built-in objectsFeeding values from a fileHelm alternativesKustomizeCuekapp-controllerSummary

Exploring Kubernetes Networking
Understanding the Kubernetes networking modelIntra-pod communication (container to container)Inter-pod communication (pod to pod)Pod-to-service communicationLookup and discoverySelf-registrationServices and endpointsLoosely coupled connectivity with queuesLoosely coupled connectivity with data storesKubernetes ingressDNS in KubernetesCoreDNSKubernetes network pluginsBasic Linux networkingIP addresses and portsNetwork namespacesSubnets, netmasks, and CIDRsVirtual Ethernet devicesBridgesRoutingMaximum transmission unitPod networkingKubenetRequirementsSetting the MTUThe CNIThe container runtimeThe CNI pluginKubernetes and eBPFKubernetes networking solutionsBridging on bare-metal clustersThe Calico projectWeave NetCiliumEfficient IP allocation and routingIdentity-based service-to-service communicationLoad balancingBandwidth managementObservabilityUsing network policies effectivelyUnderstanding the Kubernetes network policy designNetwork policies and CNI pluginsConfiguring network policiesImplementing network policiesLoad balancing optionsExternal load balancersConfiguring an external load balancerFinding the load balancer IP addressesPreserving client IP addressesUnderstanding even external load balancingService load balancersIngressHAProxyMetalLBTraefikKubernetes Gateway API Gateway API resourcesAttaching routes to gatewaysGateway API in actionWriting your own CNI pluginFirst look at the loopback pluginBuilding on the CNI plugin skeletonReviewing the bridge pluginSummary
Running Kubernetes on Multiple Clusters
Stretched Kubernetes clusters versus multi-cluster KubernetesUnderstanding stretched Kubernetes clustersPros of a stretched clusterCons of a stretched clusterUnderstanding multi-cluster KubernetesPros of multi-cluster KubernetesCons of multi-cluster KubernetesThe history of cluster federation in KubernetesCluster APICluster API architectureManagement clusterWork clusterBootstrap providerInfrastructure providerControl planeCustom resourcesKarmadaKarmada architectureKarmada conceptsResourceTemplatePropagationPolicyOverridePolicyAdditional capabilitiesClusternetClusternet architectureClusternet hubClusternet schedulerClusternet agentMulti-cluster deploymentClusterpediaClusterpedia architectureClusterpedia API serverClusterSynchro managerStorage layerStorage componentImporting clustersAdvanced multi-cluster searchResource collectionsOpen Cluster ManagementOCM architectureOCM cluster lifecycleOCM application lifecycleOCM governance, risk, and complianceVirtual KubeletTensile-kubeAdmiraltyLiqoIntroducing the Gardener projectUnderstanding the terminology of GardenerUnderstanding the conceptual model of GardenerDiving into the Gardener architectureManaging the cluster stateManaging the control planePreparing the infrastructureUsing the Machine controller managerNetworking across clustersMonitoring clustersThe gardenctl CLIExtending GardenerSummary
Serverless Computing on Kubernetes
Understanding serverless computingRunning long-running services on “serverless” infrastructureRunning functions as a service on “serverless” infrastructureServerless Kubernetes in the cloudAzure AKS and Azure Container InstancesAWS EKS and FargateGoogle Cloud RunKnativeKnative servingInstall a quickstart environmentThe Knative Service objectCreating new revisionsThe Knative Route objectThe Knative Configuration objectKnative eventingGetting familiar with Knative eventing terminologyThe architecture of Knative eventingChecking the scale to zero option of KnativeKubernetes Function-as-a-Service frameworksOpenFaaSDelivery pipelineOpenFaaS featuresOpenFaaS architectureTaking OpenFaaS for a rideFissionFission executorFission workflowsExperimenting with FissionSummary
Monitoring Kubernetes Clusters
Understanding observabilityLoggingLog formatLog storageLog aggregationMetricsDistributed tracingApplication error reportingDashboards and visualizationAlertingLogging with KubernetesContainer logsKubernetes component logsCentralized loggingChoosing a log collection strategyCluster-level central loggingRemote central loggingDealing with sensitive log informationUsing Fluentd for log collectionCollecting metrics with KubernetesMonitoring with the Metrics ServerThe rise of PrometheusInstalling PrometheusInteracting with PrometheusIncorporating kube-state-metricsUtilizing the node exporterIncorporating custom metricsAlerting with AlertmanagerVisualizing your metrics with GrafanaConsidering LokiDistributed tracing with KubernetesWhat is OpenTelemetry?OpenTelemetry tracing conceptsIntroducing JaegerJaeger architectureInstalling JaegerTroubleshooting problemsTaking advantage of staging environmentsDetecting problems at the node levelProblem daemonsDashboards vs. alertsLogs vs metrics vs. error reportsDetecting performance and root cause with distributed tracingSummary
Utilizing Service Meshes
What is a service mesh?Choosing a service meshEnvoyLinkerd 2KumaAWS App MeshMæshIstioOSM (Open Service Mesh)Cilium Service MeshUnderstanding the Istio architectureEnvoyPilotCitadelGalleyIncorporating Istio into your Kubernetes clusterPreparing a minikube cluster for IstioInstalling IstioInstalling BookInfoWorking with IstioTraffic managementSecurityIstio identityIstio certificate managementIstio authenticationIstio authorizationMonitoring and observabilityIstio access logsMetricsDistributed tracingVisualizing your service mesh with KialiSummary
Extending Kubernetes
Working with the Kubernetes APIUnderstanding OpenAPISetting up a proxyExploring the Kubernetes API directlyUsing Postman to explore the Kubernetes APIFiltering the output with HTTPie and jqAccessing the Kubernetes API via the Python clientDissecting the CoreV1Api groupListing objectsCreating objectsWatching objectsCreating a pod via the Kubernetes APIControlling Kubernetes using Go and controller-runtimeUsing controller-runtime via go-k8sInvoking kubectl programmatically from Python and GoUsing Python subprocess to run kubectlExtending the Kubernetes APIUnderstanding Kubernetes extension points and patternsExtending Kubernetes with pluginsExtending Kubernetes with the cloud controller managerExtending Kubernetes with webhooksExtending Kubernetes with controllers and operatorsExtending Kubernetes schedulingExtending Kubernetes with custom container runtimesIntroducing custom resourcesDeveloping custom resource definitionsIntegrating custom resourcesDealing with unknown fieldsFinalizing custom resourcesAdding custom printer columnsUnderstanding API server aggregationBuilding Kubernetes-like control planesWriting Kubernetes pluginsWriting a custom schedulerUnderstanding the design of the Kubernetes schedulerScheduling pods manuallyPreparing our own schedulerAssigning pods to the custom schedulerWriting kubectl pluginsUnderstanding kubectl pluginsManaging kubectl plugins with KrewCreating your own kubectl pluginEmploying access control webhooksUsing an authentication webhookUsing an authorization webhookUsing an admission control webhookConfiguring a webhook admission controller on the flyAdditional extension pointsProviding custom metrics for horizontal pod autoscalingExtending Kubernetes with custom storageSummary
Governing Kubernetes
Kubernetes in the enterpriseRequirements of enterprise softwareKubernetes and enterprise softwareWhat is Kubernetes governance?Image managementPod securityNetwork policyConfiguration constraintsRBAC and admission controlPolicy managementPolicy validation and enforcementReportingAuditPolicy enginesAdmission control as the foundation of policy enginesResponsibilities of a policy engineQuick review of open source policy enginesOPA/GatekeeperKyvernojsPolicyKubewardenKyverno deep diveQuick intro to KyvernoInstalling and configuring KyvernoInstalling pod security policiesConfiguring KyvernoApplying Kyverno policiesKyverno policies in depthUnderstanding policy settingsUnderstanding Kyverno policy rulesValidating requestsMutating resourcesGenerating resourcesAdvanced policy rulesWriting and testing Kyverno policiesWriting validating policiesWriting mutating policiesWriting generating policiesTesting policiesThe Kyverno CLIUnderstanding Kyverno testsWriting Kyverno testsRunning Kyverno testsViewing Kyverno reportsSummary
Running Kubernetes in Production
Understanding Managed Kubernetes in the cloudDeep integrationQuotas and limitsReal-world examples of quotas and limitsCapacity planningWhen should you not use Managed Kubernetes?Managing multiple clustersGeo-distributed clustersMulti-cloudHybridKubernetes on the edgeBuilding effective processes for large-scale Kubernetes deploymentsThe development lifecycleEnvironmentsSeparated environmentsStaging environment fidelityResource quotasPromotion processPermissions and access controlThe principle of least privilegeAssign permissions to groupsFine-tune your permission modelBreak glassObservabilityOne-stop shop observabilityTroubleshooting your observability stackHandling infrastructure at scaleCloud-level considerationsComputeDesign your cluster breakdownDesign your node pool breakdownNetworkingIP address space managementNetwork topologyNetwork segmentationCross-cluster communicationCross-cloud communicationCross-cluster service meshesManaging egress at scaleManaging the DNS at the cluster levelStorageChoose the right storage solutionsData backup and recoveryStorage monitoringData securityOptimize storage usageTest and validate storage performanceManaging clusters and node poolsProvisioning managed clusters and node poolsThe Cluster APITerraform/PulumiKubernetes operatorsUtilizing managed nodesBin packing and utilizationUnderstanding workload shapeSetting requests and limitsUtilizing init containersShared nodes vs. dedicated nodesLarge nodes vs, small nodesSmall and short-lived workloadsPod densityFallback node poolsUpgrading KubernetesKnow the lifecycle of your cloud providerUpgrading clustersPlanning an upgradeDetecting incompatible resourcesUpdating incompatible resourcesDealing with removed featuresUpgrading node poolsSyncing with control plane upgradesHow to perform node pool upgradesConcurrent drainingDealing with workloads with no PDBDealing with workloads with PDB zeroTroubleshootingHandling pending podsHandling scheduled pods that are not runningHandling running pods that are not readyCost managementCost mindsetCost observabilityTaggingPolicies and budgetsAlertingToolsThe smart selection of resourcesEfficient usage of resourcesDiscounts, reserved instances, and spot instancesDiscounts and creditsReserved instancesSpot instancesInvest in local environmentsSummary
The Future of Kubernetes
The Kubernetes momentumThe importance of the CNCFProject curationCertificationTrainingCommunity and educationToolingThe rise of managed Kubernetes platformsPublic cloud Kubernetes platformsBare metal, private clouds, and Kubernetes on the edgeKubernetes PaaS (Platform as a Service)Upcoming trendsSecurityNetworkingCustom hardware and devicesService meshServerless computingKubernetes on the edgeNative CI/CDOperatorsKubernetes and AIKubernetes and AI synergyTraining AI models on KubernetesRunning AI-based systems on KubernetesKubernetes and AIOpsKubernetes challengesKubernetes complexityServerless function platformsSummary
Other Books You May Enjoy
Index

Content preview from Mastering Kubernetes - Fourth Edition

4 Securing Kubernetes

In Chapter 3, High Availability and Reliability, we looked at reliable and highly available Kubernetes clusters, the basic concepts, the best practices, and the many design trade-offs regarding scalability, performance, and cost.

In this chapter, we will explore the important topic of security. Kubernetes clusters are complicated systems composed of multiple layers of interacting components. The isolation and compartmentalization of different layers is very important when running critical applications. To secure a system and ensure proper access to resources, capabilities, and data, we must first understand the unique challenges facing Kubernetes as a general-purpose orchestration platform that runs unknown workloads. Then ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781804611395

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Mastering Kubernetes - Fourth Edition

by Gigi Sayfan

4

Securing Kubernetes

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.